The crypto material for a Fabric organization consists of four parts:
1. ca
2. msp
3. orderers or peers
4. users
The CA needs to have:
1. private key
2. certificate
The MSP needs:
1. admin certificate
2. the CA certificate (the sign cert placed in the MSP is the same file as the CA certificate)
Each user needs: msp and tls
for msp:
1. keystore private key
for tls:
1. tls server.key - need to generate
2. tls server.crt - need to be signed by the CA
Each peer needs: msp and tls
for msp:
1. keystore private key - need to generate
2. sign certificate - need to be signed by the CA
for tls:
1. tls server.key - need to generate
2. tls server.crt - need to be signed by the CA
Each orderer needs: msp and tls
for msp:
1. keystore private key - need to generate
2. sign certificate - need to be signed by the CA (the CA sign certificate is the issuer)
for tls:
1. tls server.key - need to generate
2. tls server.crt - need to be signed by the CA
The process to create all the certificates:
1. Create the CA private key and certificate.
2. Create a private key as the admin user's keystore key, then have the CA sign it (via a CSR) to create the admin certificate.
3. For either orderer or peer, create a private key as the msp keystore private key, then have the CA sign it to create the peer or orderer certificate.
4. Regardless of whether it is a user, peer or orderer, each will need TLS keys. Create a private key, then have the CA sign it to create the user, peer or orderer TLS certificate.
Fabric appears to use the PKCS#8 format (PEM header "BEGIN PRIVATE KEY") rather than the traditional EC format that openssl ecparam writes (PEM header "BEGIN EC PRIVATE KEY"), so use the following command to convert; the header is a quick way to check which format a key file is in.
openssl pkcs8 -topk8 -nocrypt -in tradfile.pem -out p8file.pem
Here is an example.
1. Generate a CA private key
openssl ecparam -genkey -name prime256v1 -noout -out ca.key
2. Convert that key to pkcs8 format (optional: the CA key is only ever read by openssl when signing, Fabric itself never loads it)
openssl pkcs8 -topk8 -nocrypt -in ca.key -out ca.sk
3. Create the certificate for the CA
openssl req -x509 -new -sha256 -nodes -key ca.sk -days 1000 -out ca.crt -subj "/C=US/ST=NC/L=Cary/O=orga/CN=ca.orga"
4. Generate a private key for a server or user and convert it to pkcs8 format
openssl ecparam -genkey -name prime256v1 -noout -out server.key
openssl pkcs8 -topk8 -nocrypt -in server.key -out server.sk (optional)
5. Create a certificate signing request (CSR)
openssl req -new -sha256 -key server.sk -nodes -out server.csr -subj "/C=US/ST=NC/L=Cary/O=orga/CN=peer1.orga"
6. Once generated, you can view the full details of the CSR:
openssl req -in server.csr -noout -text
7. Now sign the certificate using the CA key and certificate:
openssl x509 -req -sha256 -days 1000 -in server.csr -CA ca.crt -CAkey ca.sk -CAcreateserial -out server.crt
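The whole procedure above, as an added shell example that is not part of these notes or of Fabric: one function builds the CA, the admin and peer MSP material and the peer TLS material, converts every key to PKCS#8 and verifies each certificate against the CA. The Fabric MSP folder names (cacerts, keystore, signcerts), the org and host names (orga, peer1.orga) and the DNS subjectAltName on the TLS certificate are assumptions beyond the steps above.

```shell
#!/bin/sh
# Added example, not from the original notes: builds the CA, admin MSP, peer MSP
# and peer TLS material described above for one org, verifying each cert against
# the CA. Assumes openssl 1.1.1+; MSP folder names follow Fabric (cacerts,
# keystore, signcerts); org and host names (orga, peer1.orga) are constructed.
set -eu

# Generate a prime256v1 key and convert it to PKCS#8 ("BEGIN PRIVATE KEY"),
# the format the notes say Fabric expects; the traditional EC file is removed.
gen_pkcs8_key() {                       # $1 = output path
    openssl ecparam -genkey -name prime256v1 -noout -out "$1.ec"
    openssl pkcs8 -topk8 -nocrypt -in "$1.ec" -out "$1"
    rm -f "$1.ec"
}

# CSR for key $1 with CN $3, signed by the CA in dir $4 into cert $2.
# $5 (optional) is a DNS SAN: TLS clients match the hostname against SANs.
sign_cert() {
    openssl req -new -sha256 -key "$1" -out "$2.csr" \
        -subj "/C=US/ST=NC/L=Cary/O=orga/CN=$3"
    echo 'basicConstraints=CA:FALSE' > "$2.ext"          # a leaf, never a CA
    if [ -n "${5:-}" ]; then echo "subjectAltName=DNS:$5" >> "$2.ext"; fi
    openssl x509 -req -sha256 -days 1000 -in "$2.csr" -CA "$4/ca.crt" \
        -CAkey "$4/ca.sk" -CAcreateserial -extfile "$2.ext" -out "$2"
    rm -f "$2.csr" "$2.ext"
    openssl verify -CAfile "$4/ca.crt" "$2" > /dev/null   # exits 1 on a bad chain
}

# Returns 0 only if $1 is a PKCS#8 key (what the pkcs8 conversion produces).
key_is_pkcs8() { head -n 1 "$1" | grep -q '^-----BEGIN PRIVATE KEY-----$'; }

# $1 = output dir, $2 = peer hostname. Mirrors steps 1-4 of the process above.
gen_org_material() {
    ca="$1/ca"; adm="$1/admin/msp"; msp="$1/peer/msp"; tls="$1/peer/tls"
    mkdir -p "$ca" "$adm/keystore" "$adm/signcerts" "$msp/keystore" \
             "$msp/signcerts" "$msp/cacerts" "$tls"
    gen_pkcs8_key "$ca/ca.sk"                                       # step 1
    openssl req -x509 -new -sha256 -key "$ca/ca.sk" -days 1000 \
        -out "$ca/ca.crt" -subj "/C=US/ST=NC/L=Cary/O=orga/CN=ca.orga"
    cp "$ca/ca.crt" "$msp/cacerts/"               # MSP cacerts = the CA cert
    gen_pkcs8_key "$adm/keystore/priv_sk"                           # step 2
    sign_cert "$adm/keystore/priv_sk" "$adm/signcerts/cert.pem" Admin@orga "$ca"
    gen_pkcs8_key "$msp/keystore/priv_sk"                           # step 3
    sign_cert "$msp/keystore/priv_sk" "$msp/signcerts/cert.pem" "$2" "$ca"
    gen_pkcs8_key "$tls/server.key"                                 # step 4
    sign_cert "$tls/server.key" "$tls/server.crt" "$2" "$ca" "$2"   # with SAN
}

out_dir=${1:-$(mktemp -d)}
gen_org_material "$out_dir" peer1.orga && echo "material written to $out_dir"
```

Running it with no argument writes into a fresh temporary directory; pass a directory as the first argument to write the tree somewhere specific.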